Interview: GCA Operations Director Shehzad Mirza on the Effectiveness of the Defend and Deliver DMARC Bootcamp

In April we interviewed our GCA Operations Director Shehzad Mirza on the importance of DMARC and the then upcoming Defend and Deliver DMARC Bootcamp. Today he’s back to share his key takeaways and what’s up next for Secure Email.

Hi Shehzad - thanks for joining us again!

Hi Rodney and everyone!! It’s great to be here!

Shehzad, how successful was the Defend and Deliver Bootcamp?

Overall, I feel it was quite successful. Overall, we had more than 1,200 people register from 892 organizations across 23 countries for the May bootcamp. Of the 1,200-plus registrants, we had up to 650 people attend the webinars, with the first session drawing the highest attendance, and we maintained a 60% or higher attendance rate throughout the five weeks.

By the end of the bootcamp we had 60 domains out of 890 implement DMARC at various levels.

That’s great because we know DMARC is not always straightforward to implement and can risk interruption to email service if not configured correctly. What advice would you give organizations just starting out on the ‘journey’ and are there any aspects that tend to be more challenging than others?

My main piece of advice would be to get guidance and ask questions, whether it be from GCA or another organization with DMARC experience. It doesn’t hurt to ask for confirmation on the right policy to implement or recommendations on where to start.

The part that I have seen as the most challenging for many organizations is the report analysis. It’s not going to be straightforward for everyone. The key is getting the right report analysis tool, whether it be free or paid, and then again guidance on interpreting those reports.

The DMARC setup guide helps organizations move to policy none. Why is it so important for organizations to keep going through quarantine to policy reject?

When set to policy none, all you are doing is putting the domain in what I like to call ‘monitor only’ mode (assuming you have reporting enabled). Being at policy none is just allowing you to receive reports and will tell the receiving end not to use DMARC to block any fraudulent messages using your domain name (other filters will still be used).

This is why reporting must be enabled at level none; otherwise there is no point in creating a DMARC policy. Having a policy as follows “v=DMARC1; p=none;” is pointless.

By moving the policy up to quarantine and ultimately reject, you are now enforcing the DMARC policy, and messages will start to get blocked.

OK that makes sense - what’s next on the agenda for Secure Email and further DMARC deployment?

We will be holding another bootcamp series starting September 15th, as well as a few additional webinars before and after the bootcamp. So be on the lookout for those.

On July 14th, we are partnering with the Microsoft Digital Crimes Unit to present a session on Fighting Cyber Crime including BEC: A Perspective from Microsoft’s Digital Crimes Unit (DCU). Joachim Rosenoegger (Senior Manager of Investigations EMEA at Microsoft DCU) will provide insight on how to fight cybercrime, with a focus on phishing and business email compromise (BEC).

Please register here:

That’s awesome! What are a few ways organizations can find out more about our work on DMARC?

We have quite a few ways for organizations to find out more about our work on DMARC. Those are:

Thanks Shehzad and well done to everyone that took part in the Defend and Deliver Bootcamp! Please let us know what you thought of it - we have a growing community on the forum: those new to DMARC looking to find out more, bootcamp alumni keen to support others, and DMARC experts able to advise on many different aspects of deployment! It would be great to have you join us on the dedicated DMARC forum: DMARC - GCA Community

Thank you Rodney and all those who are viewing this.

I am available here via the Community Forum for any questions that you may have.